Vendor Management is receiving a lot of attention due to the increase of outsourced technology services. Vendors can provide great value, but they can also introduce a high level of risk. The 3rd annual “Data Risk in the Third-Party Ecosystem” study released by the Ponemon Institute found that 59 percent of companies surveyed reported a data breach by the action of a vendor.
If you’re part of a large organization that doesn’t have an established vendor management program, your head is probably spinning thinking about all your vendors and how to assess them. Even in smaller companies it can be an overwhelming task. It takes time to mature a vendor management program, so take a deep breath and follow these steps to get started.
1. Identify Your Vendors
Work with each business unit or department to develop a list of their IT vendors. It is also important to get a short description of the type of service being provided. If you are part of a large organization, it is best to start with critical IT vendors.
If you answer YES to any of the following questions about a vendor, add them to the critical list.
- Does the vendor have access to your organization’s network or systems?
- Does the vendor have access to your organization’s data?
- Does the vendor have access to Personal Identifiable Information (PII), Personal Health Information (PHI), etc.?
- Does the vendor have an impact on the availability of your systems/data or play a critical role in keeping the business running?
2. Prioritize Your Vendors
Once you have identified your vendors and categorized them based on access level, identify the criticality of the service they provide. If their services became unavailable to you, how would that impact your organization? How long could your organization continue doing business without their service? Your vendor’s ability to respond to a crisis or disaster may have a direct effect on your organization’s business continuity efforts. Prioritize your list of vendors to match their importance to your business operations.
3. Create a Schedule and Process
Most organizations don’t have the time or resources to simultaneous audit all their vendors. If necessary, create a schedule to extend the efforts over the course of a year. From your prioritized list, create a timeline that outlines which vendors you are going to audit and when. You may start with only 2-3 vendors a month, and that is okay.
The second part is to create a process and a plan that includes at a minimum the following:
- Establish the owner of the vendor relationship. This individual is responsible for communicating with the vendor, collecting the information, staying on schedule, etc.
- Understand the type of information you will be requesting. This could be compliance/security reports (SOC2, HITRUST, ISO, etc.) or your organization may require the vendors to complete a security questionnaire.
- Create a form to document the assessment and track results. This form can be provided as evidence for the vendor review during a compliance audit.
- Know where the information will be stored. Designate a central repository for all information pertaining to that vendor. This helps to keep the assessment organized and efficient.
4. Track & Monitor Vendors
You will likely identify at least one vendor that doesn’t adhere to best practices to adequately safeguard your organization. If you decide to continue with their service, make sure they have a remediation plan for the security gap and track their progress to ensure a timely resolution. Vendor management is an ongoing process. Some gaps can take months to resolve, so having a process in place to track them will help immensely.
These steps give you a high-level overview of auditing your vendors. Critical IT vendors should be audited on at least an annual basis to ensure their security is evolving with growing threats. Keep in mind, it takes time to mature a vendor management program. It’s impossible to eliminate all risk from your vendors, but there are ways to manage it.
For help with Vendor Management and Information Security Assessments: